Description

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Aliases

Nod32 - Win32/Spy.Zbot.AAO trojan

Symantec - Trojan.Gen

Microsoft - PWS:Win32/Zbot

Norman - W32/ZBot.BJKJ (trojan)

Avira - TR/Spy.ZBot.EB.107

Indication of Infection

Presence of the above-mentioned files and registry keys.

Presence of the above-mentioned activities.

It connects to the following sites and downloads malicious files:

[removed]eaarc.com/down/update10h.rar

[removed]eaard.com/down/hou.rar

[removed]eaarb.com/down/hou.rar
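The three download locations above are the kind of indicator a defender turns into a log search. The following Python script is an added example, not part of this advisory or any vendor tooling: it parses proxy log lines in an assumed Squid-style access.log layout (timestamp, client, status, bytes, method, URL), and reports lines whose host matches one of the listed sites, distinguishing an exact host-plus-path match from a host-only match. The log lines are constructed for illustration; the host and path indicators are the ones listed above, with the scheme the page redacts as "[removed]" replaced by a plain host comparison.

```python
"""Match proxy log lines against the download hosts listed in the advisory.

Added example; the log lines below are constructed, and the Squid-style
layout is an assumption. The indicators are the three host/path pairs the
advisory lists.
"""
import re
from urllib.parse import urlsplit

# Indicators taken from the advisory (host + path of the downloaded archives).
DOWNLOAD_INDICATORS = {
    "eaarc.com": "/down/update10h.rar",
    "eaard.com": "/down/hou.rar",
    "eaarb.com": "/down/hou.rar",
}

# Constructed sample lines in a Squid-like access.log layout:
# timestamp client-ip status bytes method url
SAMPLE_LOG = """\
1386806400.101 10.0.0.15 TCP_MISS/200 48213 GET http://eaarc.com/down/update10h.rar
1386806401.337 10.0.0.15 TCP_MISS/200 1207 GET http://www.example.org/index.html
1386806402.512 10.0.0.22 TCP_MISS/404 512 GET http://eaard.com/down/hou.rar
1386806403.900 10.0.0.22 TCP_MISS/200 9921 GET http://eaarb.com/other/file.zip
1386806404.004 10.0.0.31 TCP_MISS/200 2210 GET http://cdn.example.net/eaarc.com.png
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)


def classify_line(line):
    """Return (client, host, verdict) for one log line, or None if unparseable.

    verdict is 'exact' when host and path both match an indicator,
    'host-only' when only the host matches (the same domain serving another
    file still warrants a look), and None when nothing matches.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    host = parts.hostname or ""  # urlsplit lower-cases the host and drops any port
    expected_path = DOWNLOAD_INDICATORS.get(host)
    if expected_path is None:
        return (m.group("client"), host, None)
    if parts.path == expected_path:
        return (m.group("client"), host, "exact")
    return (m.group("client"), host, "host-only")


def find_hits(log_text):
    """Return the list of (client, host, verdict) for every matching line."""
    hits = []
    for line in log_text.splitlines():
        result = classify_line(line)
        if result and result[2] is not None:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for client, host, verdict in find_hits(SAMPLE_LOG):
        print(f"{verdict:9} {client:12} {host}")
```

Matching on the parsed hostname rather than on a substring of the raw line avoids the false positive in the last sample line, where one of the indicator names appears only inside a path on an unrelated host. A 404 response to an indicator URL is still reported, since the request itself shows the client attempted the download.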

Methods of Infection

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

Virus Characteristics

“Generic Downloader.g” is a detection for a potentially unwanted program which is not a virus or Trojan. It downloads and installs Radsteroids, which displays pop-up ads, advertisement banners and sponsored links within Internet Explorer, Firefox and Google Chrome.

During installation the file ran into a problem and crashed, but it still attempted to install Radsteroids.

“Generic Downloader.g” is a worm that may propagate via removable drives or network shares. It is also designed to download other malicious files.

Upon execution, the worm creates the following file in the location below:

[Removabledrive]\starter.exe

It also drops an autorun.inf file into the root of all removable and mapped drives so that an executable is run automatically when the drive is accessed.

The AutoRun.inf file points to the malware executable; when the removable or network drive is accessed from a machine that supports the AutoRun feature, the malware is launched automatically.

The autorun.inf is configured to launch the worm file via the following command syntax.

The above registry entry confirms that the worm is executed on every system boot.

The worm creates a mutex with the following name:

#xP#J4DG
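The autorun.inf mechanism described in this section can be checked for on a drive image or a mounted volume without running anything from it. The following Python script is an added example, not tooling from this advisory: it parses an autorun.inf file the way Windows does (case-insensitive keys, only the [autorun] section) and reports every directive that would launch a program, namely open, shellexecute and the shell\<verb>\command entries, when the target has an executable extension. The two autorun.inf samples are constructed for illustration and do not reproduce the worm's actual directives, which the page does not show; the payload name in them is a placeholder.

```python
"""Scan autorun.inf content for directives that launch an executable.

Added example for the autorun.inf behaviour described in the advisory; not
the vendor's tooling. Both samples below are constructed, and
example_payload.exe is a placeholder name, not the worm's file.
"""
import re

# Directives that make Windows AutoRun execute a program directly.
LAUNCH_KEYS = {"open", "shellexecute"}
# File extensions that indicate a directly executable target.
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs", ".js")

# Constructed malicious-looking sample: runs a program when the drive is
# opened and rewires the Explorer context-menu verbs to the same program.
SAMPLE_AUTORUN_INF = """\
[autorun]
open=RECYCLER\\example_payload.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
shell\\open\\command=RECYCLER\\example_payload.exe
shell\\explore\\command=RECYCLER\\example_payload.exe
action=Open folder to view files
"""

# Constructed benign sample: only sets a label and an icon.
SAMPLE_BENIGN_INF = """\
[AutoRun]
label=Backup Drive
icon=backup.ico
"""


def parse_autorun(text):
    """Return the [autorun] section as a dict of lower-cased key -> raw value.

    Keys are case-insensitive and whitespace around '=' is ignored, which is
    how Windows reads the file; lines outside [autorun] are skipped.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def suspicious_directives(text):
    """Return the list of (key, value) directives that would launch a program."""
    findings = []
    for key, value in parse_autorun(text).items():
        launches = key in LAUNCH_KEYS or re.fullmatch(r"shell\\[^\\]+\\command", key)
        # First token of the value is the program; strip quoting and arguments.
        target = value.split()[0].strip('"').lower() if value else ""
        if launches and target.endswith(EXEC_EXTENSIONS):
            findings.append((key, value))
    return findings


if __name__ == "__main__":
    for key, value in suspicious_directives(SAMPLE_AUTORUN_INF):
        print(f"launches executable: {key} = {value}")
    print("benign sample findings:", suspicious_directives(SAMPLE_BENIGN_INF))
```

A legitimate autorun.inf normally carries only label and icon entries, so any launch directive on a removable drive is worth a look; the action entry in the first sample is the text Windows shows in the AutoPlay dialog, which is how such files disguise the launch as the ordinary "open folder" choice. As a mitigation, setting the Explorer policy value NoDriveTypeAutoRun to 0xFF disables AutoRun for every drive type, so the file is never honoured regardless of its content.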

------------------------Updated on December 12th 2013--------------------

Aliases

Microsoft - TrojanDownloader:Win32/Upatre.J

Kaspersky - Trojan.Win32.Agent.ibgu

Symantec - Trojan.Zbot

“Generic Downloader.g” is a detection for a Trojan that downloads malicious files from a remote server and executes them on the user's system. It also steals sensitive information from the compromised machine and sends it to the remote attacker. It spreads via spam mail as an attachment. The Trojan may delete itself after execution.

“Generic Downloader.g” steals information (stored passwords, cache and cookies) from the following applications:

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).